Type Name Latest commit message Commit time
.github/ISSUE_TEMPLATE Merge branch 'template-sample-data-update' of github.com:brianrufgsa/… Jan 22, 2020
assets WIP Nov 25, 2019
baselines
documents Removed redundant entry on Accepted Values tab Dec 16, 2019
resources Adding resources and README Dec 16, 2019
templates Expanded AC-2 example to reflect all parts, just as in the Word-based… Jan 6, 2020
.gitignore Added issue template for action items Jan 22, 2020
.spelling WIP Nov 26, 2019
README.md Fixing logo issue Dec 13, 2019

README.md

FedRAMP

Federal Risk and Authorization Management Program (FedRAMP) Automation

Based on the Open Security Controls Assessment Language (OSCAL)

December 16, 2019

The FedRAMP Program Management Office (PMO) has drafted FedRAMP-specific extensions and guidance to ensure our stakeholders can fully express a FedRAMP System Security Plan (SSP) using NIST's OSCAL SSP syntax.

We Want Your Feedback!

The FedRAMP PMO is releasing the following files for public review and comment:

  • FedRAMP OSCAL Registry: This registry is the authoritative source for all FedRAMP extensions to the OSCAL syntax, FedRAMP-defined identifiers, and accepted values. The draft for public comment is available here.
  • Guide to OSCAL-based FedRAMP System Security Plans: This document enables tool developers to generate OSCAL-based SSP files that are fully compliant with FedRAMP’s extensions, defined identifiers, and acceptable values. The draft for public comment is available here.
  • OSCAL-based FedRAMP SSP Template: The template file is pre-populated with FedRAMP extensions and defined identifiers where practical. It also includes some sample data, and is the basis for the guidance document above. The draft for public comment is available in both XML and JSON formats.
  • FedRAMP Baselines: The FedRAMP baselines for High, Moderate, Low, and Tailored for Low Impact-Software as a Service (LI-SaaS) in OSCAL (XML and JSON formats) are available here.

Please ask questions or provide feedback on the items above either via email to info@fedramp.gov, as a comment to an existing issue, or as a new issue.

Dependencies

FedRAMP's work is based on NIST's OSCAL 1.0.0-Milestone2 release, and requires an understanding of the core OSCAL syntax, as well as NIST-provided resources to function correctly.

The following NIST resources are available:

NIST offers a complete package containing the NIST OSCAL converters, syntax validation tools, and 800-53 and FedRAMP baselines content, available for download in both ZIP and BZ2 formats.

Please ask questions or provide feedback on the above NIST dependencies either via email to oscal@nist.gov, as a comment to an existing issue, or as a new issue via the NIST OSCAL GitHub site.

FedRAMP looks forward to receiving your comments and sharing additional progress.
